Dovetailing Cybersecurity into an IoT World

Dovetailing Cybersecurity into an IoT World

Why an ecosystem approach is the way to go

  • By Vince Ricco
  • Apr 01, 2016

When it comes to cybersecurity the world falls into two camps: those focused on securing their hardware and applications as a closed system, and those who recognize that converging technologies calls for a more ecosystem-centric approach. My early days in the world of physical security systems, especially in video surveillance, initially planted me firmly in the first camp. But as I’ve watched the migration from analog to IP-based technology and the accelerated convergence of technologies on a shared backbone I’ve shifted my views.

In this new IoT ecosystem, every cyber security measure that manufacturers and integrators put into play can impact every other device and application on the network. So it’s imperative that the synergy between systems and devices not only happens on an operational level, but also on a cybersecurity level.

Working Together

Today’s ecosystem is comprised of multiple vendors and building blocks working together to create a complete solution. Added to this mix are the BYOD technologies, smartphones, laptops and tablets that gain access to the system. All of these devices and applications represent potential cyber risk, whether through broadband access or cloud exposure. It could be a Trojan horse accidentally introduced through a personal intelligent device or a determined hacker exploiting an unsecured connection to cloud storage.

Even if physical security is run on a separate backbone from the corporate IT infrastructure, oftentimes an impractical and cost prohibitive solution, mishaps happen: an inadvertent connection to a broadband router, an accidental cross connection to the data network in a wiring closet or any number of unintentional oversights. It’s important to remember that cybersecurity is never a guarantee.

In the face of all these challenges, how do you develop an effective cybersecurity strategy?

Securing an Inter-connected Web of Systems

The solution is to find an optimal way of dovetailing the best practices of both the physical security world with the best practices of a traditional IT domain without introducing new cybersecurity vulnerabilities for other components in the converged system. That involves testing and fine-tuning a lot of moving parts.

On the physical security side of the ecosystem this could be everything from emergency broadcast systems to access control systems, security cameras and video and audio analytics. On the IT side, it could be everything from finance to personnel to telephony. Then there’s cross-pollination, using physical security metadata to glean business intelligence that extends beyond safety and security in other company operations like marketing and merchandising, further blurring the line between physical security and IT.

In a closed system such as home security and intelligent automation, the number of vulnerability points is somewhat limited. The components talk to each other in their own home network ecosystem. That may include:

  • Door and window sensors
  • Intelligent thermostats for each heating/cooling zone
  • Intelligent lighting controls
  • Video surveillance cameras
  • Network connection for remote monitoring and access via smart apps (through Wi-Fi, Blue Tooth, Ethernet or other connectivity technology).

Behind the Router

This ecosystem typically runs off of a single subnet behind a router with, hopefully, some firewall protection. Cyber threats usually come from a device within the home network being hacked or hijacked and sending network access information back to a third party. Or the remote smart application interface gets hacked allowing a third party to gain access to the home network and maliciously turn off the heating and cooling systems. Manufacturers in the IoT home protection and automation industry tend to have more control over user and device interfaces and therefore can commonly deploy the latest generation point-to-point and point-to-multipoint cyber protection technologies across the system.

In a converged ecosystem such as an IP-based physical security scenario, the cyber threats and vulnerabilities become far more complex. Not only does the number of components increase, so do the number of vendors that are supplying that technology and the number of users accessing them. For instance, the ecosystem might include:

  • IP video cameras (from one or multiple vendors) capable of transmitting high-resolution video as well as high-quality audio recordings.
  • IP access control devices or legacy analog access control panels and readers that communicate over the network to the physical security management system.
  • One to multiple video management systems (VMS) that possibly come from yet another vendor.
  • A server or servers that the VMS are running.
  • One too many viewing clients (PCs and mobile devices with access to the camera video either directly from the cameras or via a connection to the VMS.)
  • Network storage for retention of the video from the VMS.

To mitigate risks in this kind of an open ecosystem, you need all the vendors operating off the same cybersecurity playbook.

Finding Common Ground to Mitigating Cyber Risks

IT, physical security and technology manufacturers should be working as a cohesive unit, reaching consensus on current standards and current cyber mitigation technologies that really reflect “Highest Common Denominator” cyber risk mitigation techniques. For instance, the common baseline for cybersecurity applications and protocols often begins with the network infrastructure. That could include strategic measures such as using traditional VLAN technology to separate surveillance video from other data traffic on the network traffic. A unified cybersecurity methodology might also include implementing 802.1x access control using an authenticator such as a RADIUS or TACAS server.

For larger enterprise networks, cybersecurity often includes linking a secure device’s Certification Authority (CA) with an Active Directory (AD). Of course that means vendors need to provide components that support these implementations.

In most cases, the video surveillance cameras and VMS are selected by the project owner based on two main criteria: their specific intended use, perimeter protection, surveillance in crowded public areas, and the strength of the vendor to satisfy that specific use. But there’s a third criteria that needs to be considered as well: does Camera Manufacturer A support the same security protocols as VMS Manufacturer B and do these protocols tie seamlessly into IT’s current suite of hardware, software and cyber protection protocols?

Who Owns Connectivity?

Since the ecosystem runs on IT’s infrastructure, it raises another important question: Who’s responsible for the connectivity? It wasn’t long ago that IT was insisting: “No IP video over my backbone.” But now businesses are readily accepting that it’s just not cost-effective to run parallel networks. It puts a strain on everyone’s budget, for infrastructure cost as well as personnel to install, manage and maintain each network.

So does this mean that the cybersecurity strategies for the physical security network-attached systems and device now belong to IT? Or does the physical security department mandate that IT support the cybersecurity technologies inherent in physical security’s solutions? The simplest answer is that physical security management needs to work with their providers (integrators and manufacturers) and IT to devise solutions that are inherently supportive of IT’s current methodologies for cyber risk mitigation.

Making Sure Cybersecurity is a Team Effort

The similarities in cyber protection technologies between IoT and physical security might be self-evident, but there are some key concerns that should remain at the forefront of any system builder. No matter how sophisticated IoT devices and systems become they still operate in an IT world. And as such, they need to adopt a cooperative cyber protection strategy with IT. Mature IoT technologies such as physical security will need to evolve in order to benefit from some of the great emerging IoT cyber protection techniques such as higher use of Crypto Keys and Lock-Box strategies.

In the meantime, those in the trenches will have to determine which environment we live in and address the increasing risk of cyber threats as a joint effort between vendor and security professionals and IT. We need to work with common tools to provide the end-user with the best possible cyber protection while living within budgetary constraints.

This article originally appeared in the April 2016 issue of Security Today.

Featured

  • 66 Percent of Cybersecurity Pros Say Job Stress is Growing

    Sixty-six percent of cybersecurity professionals say their role is more stressful now than it was five years ago, according to the newly released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • Live from GSX 2024: Post-Show Recap

    Another great edition of GSX is in the books! We’d like to thank our great partners for this years event, NAPCO, LVT, Eagle Eye Networks and Hirsch, for working with us and allowing us to highlight some of the great solutions the companies were showcasing during the crowded show. Read Now

    • Industry Events
    • GSX

  • Research: Cybersecurity Success Hinges on Full Organizational Support

    Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now

  • Live from GSX 2024: Day 3 Recap

    And GSX 2024 in Orlando, is officially in the books! I’d like to extend a hearty congratulations and a sincere thank-you to our partners in this year’s Live From program—NAPCO, Eagle Eye Networks, Hirsch, and LVT. Even though the show’s over, keep an eye on our GSX 2024 Live landing page for continued news and developments related to this year’s vast array of exhibitors and products. And if you’d like to learn more about our Live From program, please drop us a line—we’d love to work with you in Las Vegas at ISC West 2025. Read Now

    • Industry Events
    • GSX
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Unified VMS

    AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3